Bevan Brittan's employment law report for December 2017
The High Court has found that an employer was vicariously liable for substantial compensation where a rogue employee caused a data breach. Sarah Lamont explains this important ruling.
The Data Protection Act 1998
The Data Protection Act 1998 (DPA) imposes wide obligations on those who collect personal data (data controller), as well as conferring a range of rights on individuals about whom data is collected (data subject).
The DPA requires a data controller to comply with various data protection principles. The specific principle relevant to the case reported below was data protection principle seven (DPP7), which states that data controllers must take
"appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data."
Employers can be liable for legal wrongs committed by employees where there is a sufficiently close connection between the employment and the wrongdoing. The question is whether the connection between the employment and the wrongful act is sufficiently close to justify imposing liability on the employer.
Mr Skelton was an IT auditor employed by the supermarket, Morrisons. In addition, Mr Skelton ran an online business selling a slimming drug.
Unfortunately for Mr Skelton, when he used Morrisons' post room to send the slimming drug to a customer, the packaging broke and a white powder was seen by the post room staff. This caused some alarm and the police were called. Mr Skelton was arrested but later cleared.
However, that was not the end of the matter for Mr Skelton. Morrisons then launched its own internal disciplinary procedure against Mr Skelton, alleging he had caused distress, risked the shutdown of the post room and acted contrary to Morrisons' values. Mr Skelton appealed against the disciplinary action but his appeal was dismissed.
Mr Skelton then decided to take matters into his own hands and, apparently in revenge against Morrisons, he uploaded to the internet payroll data relating to almost 100,000 Morrisons employees. The data had been given to Mr Skelton, as one of a small number of 'super user' employees entrusted with access to the relevant software ('Peoplesoft'), on an encrypted USB stick, to forward to the supermarket's auditors, KPMG. However, Mr Skelton downloaded the payroll data onto his work computer, and copied it across to his own personal USB stick, which he then used to transfer the data to a file sharing site. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details of the employees in question.
Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the DPA. He was convicted and sentenced to eight years in prison.
A group of employees whose data was wrongly disclosed argued that Morrisons was both primarily liable and vicariously liable for the actions of Mr Skelton.
In Various claimants v Wm Morrisons Supermarket the High Court rejected the employees' argument that Morrisons was primarily liable for the data breach, but agreed that Morrisons was vicariously liable for the actions of Mr Skelton.
Morrisons was not primarily liable because, at the time of the breach, it was not the data controller: Mr Skelton was, because he had decided for himself how the copy of the data he held would be processed.
The High Court considered whether Morrisons was in breach of DPP7 because it had not taken appropriate technical and organisational measures to protect employees' data. The court found that Morrisons should have put in place a better system for the deletion of data when it was moved out of the secure Peoplesoft system. The court noted that, where data is held outside its usual secure storage system, there is an unnecessary risk of proliferation and disclosure – whether accidental or deliberate. However, the court went on to say that failure did not cause the unlawful disclosure; whatever measures were in place would not have prevented an individual who was determined to deliberately disclose personal information. Any measure which might be put in place – such as close monitoring of an employee's internet searches – would be disproportionately expensive and difficult to balance against an employee's right to a private life. Therefore, there was no primary liability under the DPA.
Notwithstanding that there was no direct liability for Morrisons under the DPA, the High Court found that Morrisons was vicariously liable for Mr Skelton's breach, taking into account the following factors.
There was, therefore, a sufficiently close connection between Mr Skelton's employment and the unlawful disclosure of data: handling and disclosing the data was required as part of his role, and handling and disclosing data is what caused the wrongful action – albeit that the way in which the data was handled and disclosed was not sanctioned by Morrisons and was, moreover, intended to cause them harm.
What does this mean for me?
This is an interesting decision, because the High Court had no difficulty in finding that an employee's actions were 'in the course of employment' and, therefore, subject to vicarious liability, even when those actions were deliberately intended to harm the employer.
Employers will need to take note of the High Court's comments on the management of data, especially ensuring that there are no 'weak points' in systems for protecting employees' personal details. One point the High Court made was that it may have been appropriate for a manager to check that data had been deleted by the employee once it had served its purpose. Although such checks could cause 'trust issues', that can be avoided if the employer fosters a culture in which employees expect data management controls to be in place.
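The court's two practical points, that extracts taken out of the secure payroll system need a deletion process, and that someone should check the deletion actually happened, can be turned into a simple detective control. The following is an added illustration written for this page; it is not Morrisons' system, not code from the article, and every file name, identifier and date in it is a constructed assumption. It registers the SHA-256 of each authorised extract at export time, then audits a set of directories for any file whose content matches a registered extract and is either past its delete-by date or outside the location it was approved for. Matching by content rather than file name means a renamed copy is still caught.

```python
"""Added example (not from the Bevan Brittan article or Morrisons' own systems):
a minimal register of personal-data extracts taken outside a system of record,
plus a deletion audit. Paths, IDs and dates below are constructed illustrations."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date


@dataclass
class Extract:
    """One authorised copy of personal data held outside the source system."""
    extract_id: str
    sha256: str
    approved_paths: set        # absolute paths where this copy may live
    delete_by: date            # after this date no copy should exist anywhere


@dataclass
class Finding:
    extract_id: str
    path: str
    reason: str                # "overdue" or "unapproved_location"


def sha256_of(path: str) -> str:
    """Content hash of a file, read in chunks so large payroll files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def register_extract(extract_id: str, path: str, delete_by: date) -> Extract:
    """Record the content hash at export time. Later copies are matched by
    content, so renaming or moving a copy does not evade the audit."""
    return Extract(extract_id, sha256_of(path), {os.path.abspath(path)}, delete_by)


def audit(register, scan_roots, today: date):
    """Walk scan_roots and report every file whose content matches a registered
    extract and is either past its delete-by date or in an unapproved place."""
    by_hash = {e.sha256: e for e in register}
    findings = []
    for root in scan_roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.abspath(os.path.join(dirpath, name))
                ext = by_hash.get(sha256_of(path))
                if ext is None:
                    continue                       # unrelated file
                if today > ext.delete_by:
                    findings.append(Finding(ext.extract_id, path, "overdue"))
                elif path not in ext.approved_paths:
                    findings.append(Finding(ext.extract_id, path, "unapproved_location"))
    return findings


def demo():
    """Constructed scenario: an extract is exported for the auditors (hypothetical
    ID EXT-0001), a renamed copy then appears in a user's home directory, and the
    audit is run once before and once after the delete-by date."""
    payroll = b"name,ni_number,sort_code,account\nA Person,QQ123456C,00-00-00,00000000\n"
    with tempfile.TemporaryDirectory() as tmp:
        transfer = os.path.join(tmp, "transfer")
        home = os.path.join(tmp, "home", "user")
        os.makedirs(transfer)
        os.makedirs(home)
        export = os.path.join(transfer, "payroll_for_auditors.csv")
        with open(export, "wb") as fh:
            fh.write(payroll)
        register = [register_extract("EXT-0001", export, date(2017, 12, 15))]
        with open(os.path.join(home, "notes.txt"), "wb") as fh:   # renamed copy
            fh.write(payroll)
        with open(os.path.join(home, "readme.txt"), "wb") as fh:  # unrelated file
            fh.write(b"hello")
        before = audit(register, [tmp], date(2017, 12, 10))
        after = audit(register, [tmp], date(2017, 12, 20))
        summarise = lambda fs: sorted((f.reason, os.path.basename(f.path)) for f in fs)
        return summarise(before), summarise(after)


if __name__ == "__main__":
    for label, findings in zip(("before deadline", "after deadline"), demo()):
        print(label, findings)
```

The limitation is the one the court identified: the audit only sees storage the organisation can scan. A copy on a personal USB stick or an upload to a file-sharing site is invisible to it, which is why the judge treated such measures as reducing proliferation rather than stopping a determined insider. It is therefore a complement to, not a substitute for, prompt deletion, a short retention period for extracts and logging of bulk exports from the system of record.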
This, therefore, underlines the importance not only of robust data management policies and procedures, but also of those documents being supported by a strongly embedded data protection culture. This will become all the more important in the coming months, as organisations prepare for the new General Data Protection Regulation / new Data Protection Act, which will come into force in May 2018. This reform will bring with it a requirement for greater data controls, increased transparency and more scope for data subjects to claim (currently it is only possible to claim against data controllers, but this will be extended to include data processors as well). The financial impact of breaching the new data protection legislation will also increase in scope: fines under the GDPR are up to 20 million euros or up to 4% of total annual worldwide turnover, whichever is higher. Please see our five key GDPR points for HR and our Briefing this month on the GDPR and pensions issues.
Philip Woolham on how pension schemes should be preparing, ahead of GDPR implementation in May 2018.
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into effect. The Data Protection Bill (Bill) currently going through Parliament will ensure that its provisions will survive the UK leaving the EU in March 2019. It will also provide useful further detail as to how the GDPR will work in the UK.
The GDPR and the Bill are intended to reflect the enormous changes in how data has been handled over the past couple of decades. In particular they deal with the shift to most data being held digitally, which is often easier to transfer, to copy and in some cases to steal. The requirements apply equally to traditional, physical records. The unlocked filing cabinet full of pension scheme members' records in the middle of a busy office is just as much a breach of the GDPR as allowing electronic records to be stolen through poor online security.
The GDPR and Bill are to a large extent refinements and improvements to existing legislation. They use many of the same concepts. There are however significant changes that will affect pension schemes – employers, trustees and indeed members. This article cannot cover the whole of the GDPR and the Bill, but rather looks at some of the key ways they will affect parties to pension schemes.
Understandably, a lot of focus has been on the maximum fines that can be levied – the greater of €20m and 4% of global turnover. These certainly concentrate the mind, although we should note that these are the maximum levels. More minor breaches will not attract these fines, any more than the Information Commissioner's Office (ICO) has routinely imposed the current maximum fines under the Data Protection Act 1998. That does not mean that we can relax, however, as the GDPR imposes some different duties compared to the current regime.
Firstly, data processors (for example if administration is sub-contracted to another party, whether that is the employer or a separate organisation) can now be fined directly by the ICO. Previously, only the data controller, in this case usually the pension scheme, could be fined directly. It is therefore important for administrators to make sure that they are compliant with the GDPR's requirements. Most administration agreements already allowed data controllers to recover fines and other costs from data processors.
These agreements may also need to be updated. The GDPR requires that contracts for data handling include specific provisions, including confirmation that the data processor is aware of and will abide by its duties under the GDPR. Whether you are a data controller or a processor, you may need to review any current agreements to see if they need updating.
Secondly, data controllers must provide individuals with far more information as to what data is held, and why it is held. Existing information provided may not be enough to meet the new requirements, so it is worth checking to see whether current communications need to be revised.
Thirdly, there are different and in most cases more stringent requirements to notify both the ICO and in some cases the affected members of breaches of the GDPR. Failure to do so can attract more fines.
But the biggest change under the GDPR relates to individuals' rights over their own data. In some cases, a data controller may need to seek consent to hold and to process data. This consent can't be assumed, for example if someone continues to pay into a pension once automatically enrolled. Consent must be explicit, and informed. A member will need to understand what data is being collected, why, and for how long the pension scheme will hold it. Only then can they consent.
This sounds like a minefield for pension schemes. Pension schemes are by their nature long-term. People leave their employment, move house and fail to keep in touch with their pensions. Unless a member transfers all of their funds out, the scheme must hold on to significant amounts of personal data, some of it probably sensitive personal data, for long periods. In some cases, in order to provide a member's and then spouse's or other dependants' benefits, data must be held throughout the member's life and beyond (although the data protection legislation only applies to living people). How is it possible to track down all those scheme members and their families?
Fortunately, while there may be times when consent will be needed, the GDPR and the Bill both provide other justifications for holding and processing data. In most cases, pension schemes will seek to rely on them. In particular, it is possible to hold and process data in order to fulfil a contract with an individual, and to fulfil a legal obligation towards an individual.
For pension schemes that are run under a trust, the contractual justification may not apply directly, but in many cases the scheme will be able to show that it holds and processes data in order to fulfil a legal obligation – providing benefits to members and their dependants.
The Bill also makes clear that in many cases data can be held and processed for the purposes of providing pension benefits without consent. It is however important for schemes and employers to check that their processes do fall within the Bill's specific provisions if they intend to rely on this.
If your pension scheme is a contractually-run one, provided by a major insurance provider or similar, then the bulk of the work in relation to pensions will be done by that provider. You may be contacted by the provider in relation to the GDPR.
But if your pension scheme is a traditional, occupational one, usually under trust, then the trustees of the scheme in particular need to be sure that they are compliant with the GDPR's requirements. Are they, for instance, holding data for longer than is necessary (although this can be a long period in order to pay pensions and then benefits to family members)? Is the data properly secured, whether it is held physically or electronically? Who can access it, and why?
All of this sounds similar to current requirements, and it is. But the arrival of the GDPR is a good point to check that practices and systems are fit for purpose, particularly in the light of the increased fines.
If properly handled (and in particular in advance of the 25 May deadline, as there is no transition period), the GDPR is potentially less of a minefield than we might have feared. If schemes and employers have good data practices now, then while there will need to be adaptation, there need not be a revolution. But for those with patchy records, poor data security and ineffective procedures and practices, the risks and costs associated with data protection will increase significantly.
If you would like any further information on this, or any other, pensions issues, please do contact me.
Please click here for a briefing note which looks at the GDPR in the wider context of HR.
Please click here for Bevan Brittan's GDPR page.
Seasonal cheer from our news round-up comes in the form of updates on: the draft NHS Workforce Strategy; news of dramatic increases in tribunal claims; the latest on gender pay reporting; immigration reform for the New Year and gig working news. We also report on the Pensions Regulator showing its teeth and a workforce Brexit breakthrough on work and residency rights.
For the first time in nearly 25 years, a national draft NHS workforce strategy document for England has been published for consultation. The full document can be found here. It builds on the Health Education England (HEE) Framework 15, which was published in 2014. Consultation on the draft strategy, led by HEE, is open until 5pm on Friday 23 March 2018, and will take various forms, including regional events, web based discussion and social media. The final strategy will be informed by these discussions; the current draft is designed to present the facts and stimulate debate and covers
The impact of the Supreme Court's decision to quash employment tribunal / employment appeal tribunal fees is now making itself felt. Feedback from employment tribunal user group meetings is that the level of claims has increased significantly. The type of claims on the increase are unfair dismissal, unpaid wages and holiday pay claims – in other words, the types of claim which went into steep decline in the aftermath of fees being introduced. It therefore seems likely that HR and in-house legal teams can expect to see an increase in claim forms being issued next year, but probably mostly at the lower end of the cost and complexity scale. There are also likely to be delays in hearings being listed, because of a lack of judicial resources to deal with the increased volume of cases. We understand that a recruitment exercise for new judges may commence next year, but that will take a full year to complete.
In terms of how employment tribunals are dealing with claims which have been rejected because of non-payment of fees, these are being automatically re-instated. Claimants who are applying for claims to be allowed in out of time are having their cases tested under the usual rules around lodging claims out of time, i.e. the normal time limit will only be extended if it was not reasonably practicable for the claimant to lodge their claim within time (for unfair dismissal claims) or if it is just and equitable for the time limit to be extended (for discrimination claims).
Now that gender pay gap reporting is up and running, and the first gender pay reports are now being published, the Government Equalities Office (GEO) has produced a new toolkit for employers which provides action points for closing any gender pay gap which has been identified – and, as the report acknowledges – most employers will have a gender pay gap. The toolkit can be downloaded here.
As we reported in last month's Employment Eye, the Employment Appeal Tribunal rejected Uber's appeal against the decision that its drivers are workers rather than self-employed contractors (Uber BV and others v Aslam and others). Uber has decided to appeal that decision, and it was thought that the case would be sent straight to the Supreme Court, by-passing the Court of Appeal stage, using the 'leapfrog' procedure. It has been reported that the case will not leapfrog and will, instead, be heard by the Court of Appeal on a date yet to be announced.
The Pensions Regulator has brought criminal charges against an employer it says has failed to meet its auto-enrolment obligations, this time a Birmingham social care provider. This is the second time it has used these powers.
Crest Healthcare and its managing director Sheila Aluko are both accused of wilfully failing to enrol staff in a pension scheme, and also of falsely claiming that the company had enrolled 25 staff into a workplace pension as required under automatic enrolment rules. All employers must certify that they are complying with their duties, and it is illegal to make a false declaration. If the company and Ms Aluko are found guilty, falsifying a declaration will compound any failure to meet their auto-enrolment obligations.
This is another example of the Regulator showing its teeth. While it will always seek to advise and assist first, it does have the power to bring criminal charges against employers (including individuals) who deliberately fail to meet their auto-enrolment obligations. This is in addition to the civil fines it can impose for minor or serious breaches.
Both sets of employers who have been charged so far are in the 'middle tier' of relatively substantial employers. The Regulator has not as yet chosen to pursue any small employers, who have been required to comply with their duties more recently. But the fact that the Regulator will use its powers in this way must surely be a warning that all employers must comply with their duties at all times.
Incidentally, the defendants in the first case, Stotts Tours (Oldham) and Mr Stott himself, pleaded guilty to the charges.
The government has announced a series of changes to the UK Immigration Rules, which will come into force on 11 January 2018. Applications submitted before that date will be processed under the Immigration Rules in force on 10 January 2018. The changes in full are published in the Statement of Changes to the Immigration Rules, which can be downloaded here. In summary, the key changes are:
In a significant post-Brexit workforce development, a joint report has been published by EU negotiators which deals with the settled status of EU workers after the UK has left the EU. The full report is available here and the key points are as follows.
Although this report provides some welcome clarity and the clearest indication yet of what the post-Brexit workforce landscape might look like, an important note of caution is that this is only an agreement in principle; it is not binding. It will be used as a basis for drafting the Withdrawal Agreement, but the final terms may differ from those set out above.
If you would like to discuss any of these topics, or any other aspect of Employment Law, please contact Head of Employment, Jodie Sinclair.